By Anna Hammond
June 17, 2021
In our ‘meet the hacker’ series, we’re taking the time to talk with Intigriti community members that have an impressive track record, an unusual methodology or have made valuable contributions to the community. This time, we were talking with Samuel Eng, who is one of the most experienced hackers out of Singapore.
Hi Samuel! Please tell us a bit about yourself, who is Samuel Eng?
Hi everybody.
I am Samuel from Singapore. I am currently working as a security engineer at Bytedance. So, like most hackers today, I am self-taught. I started to get hooked on computer security when I had to fix my code in a university project. Eventually, I started my first job as a security consultant. Then I started taking up offensive security certifications like OSCP and OSEE. After that, I switched to bug bounties to challenge myself.
You just mentioned the term bug bounty. When was the first time in your life that you heard about Bug Bounty?
Actually, I can’t really remember. I think it was when I googled how to improve my hacking skills. I discovered the hacktivity feeds from various platforms. Eventually, I just honed my skills by playing CTFs. And bug bounty was a bit like a CTF, but to my surprise you can earn some cash from finding bugs too.
So I’m really happy about bug bounty platforms, which give everybody a chance to earn some extra cash and learn as well.
Do you remember the first bug that you’ve submitted to a program?
If you’re talking about valid bugs, then definitely. It was a blind SQL injection. I was actually pretty excited about that. I got my first bounty. It was like 1k, so I was really happy.
Of course, I have to admit that I submitted rubbish bugs too. They were closed really quickly. But I learned along the way. I guess we all have had that situation, but it’s actually pretty embarrassing when I look in my own inbox from four years ago.
How many hours do you approximately spend on hunting vulnerabilities and bug bounties?
In my first few years of bug bounty, I guess I spent around four hours a day after work to hunt. So, this is without including weekends. So, I actually managed to get up to quite a high ranking with this strategy. But recently, I have less time because of my work. I took up a new role and now only take part in bug bounty challenges.
I’m always a little interested in the local situation of our guests. How big is the hacking scene in Singapore? Can you tell us a little bit about that?
If you’re talking about pentesters, I think there is quite a significant number here in Singapore. There are actually a lot of pentesting companies in Singapore and third-party consulting services. They are everywhere.
If we are talking about bug bounty hunters, there really aren’t many, just a handful. The most famous one is probably Spaceraccoon, but there are also a few others. I think Covid has made it really hard though to hang out together. But we did take part in hacking challenges in the past.
Coming back to you, what is the most exciting to you during hacking?
I think if I find a critical bug. I don’t really get excited when I find a medium or low bug. But if I find a critical or high bug, I am definitely pretty excited. I then sometimes report the vulnerability in a rush, which could eventually backfire if the triagers don’t understand the submission.
I can imagine that a good RCE makes you feel super happy. We obviously have a lot of beginners who read our blog. What do you recommend to them? What is the first thing you do when you approach a target?
I think most people recommend recon. But the basics have to be done first. I find that most people just recon 90% of the time and eventually don’t hack at all. So, I think the first thing we need to know about is the basic fundamentals.
Of course, the attitude is very important as well. It’s important to have two things. I call it the “DD” – Be desperate and determined. Basically, if you’re not desperate and determined enough, you will not find anything.
What is your favourite tool for hacking without saying Burp Suite (loud laughs)?
Ahh, you caught me right there. I wanted to say Burp Suite. Besides that, I use the dev tools a lot. In my role at Bytedance, I am in charge of client-side security. Here, I require expertise using the dev tools, mainly trying to understand JavaScript better. I use it a lot actually.
Have you had a mentor at any point in time during your hacking career?
Like most people, I did not have a mentor. I wish I had though. I do have people I look up to however, like filedescriptor or Frans Rosén. Those guys are really great. I learned a lot from them.
Okay, I do have a couple of “Would you rather” questions for you. Here we go! Would you rather collaborate and split the bounty or get the full bounty for yourself?
Actually, for me, definitely collaboration because I don’t really care about money nowadays. It’s not that I am rich, but I find that it gives me a sense of satisfaction when a team is working on a bug, and we have success.
Alright, one more. Would you rather save your reward money and buy yourself a Tesla or would you save it up for a house?
Definitely for a house because in Singapore there are no Teslas (laughs).
Oh, I did not know that. Well, thank you very much Samuel for taking the audience together with me on your journey. That was great. I really appreciate everything you told us today. Do you have any shoutouts or final words?
I want to thank Intigriti, especially for their bug bounty blog called “Bug Bytes”. It gives me updates about the security industry and saves me a ton of time.
Everybody knows that the security industry moves really quickly, and information gets updated regularly. Here, it is important to have a compilation of knowledge in a blog where pentesters or bug bounty hunters can stop by and read about new techniques.
Did you like the short form of the interview? Do you want to hear more from Samuel? Watch the full conversation between Pascal and Samuel right now on YouTube: